Method and system for establishing a wireless communication link

ABSTRACT

A method of establishing a secure communications link between a user communications device and a first service communications device; the method comprises the steps of initiating a communications link using a first communications protocol between the user communications device and the first service communications device; performing, based on a PIN value, an initialisation procedure between the user communications device and the first service communications device, the initialisation procedure resulting in an identification key; storing the identification key in the user communications device and the first service communications device; the method is characterised in that it further comprises the steps of using a second communications protocol to perform a transaction between the user communications device and a second service communications device; generating and storing the PIN value; the invention further relates to a communications system and a mobile communications device.

FIELD OF THE INVENTION

[0001] This invention relates to a method of establishing a wirelesscommunications link between a user communications device and a servicecommunications device.

BACKGROUND OF THE INVENTION

[0002] Wireless communications technologies are frequently used for awide variety of applications, such as remote controls, wireless networkconnections of computers, e-commerce applications or the like. In manyapplications it is desired to establish a secure communications linkbetween two communications devices. This may for example be desired inorder to minimise the risk of unauthorised use or misuse or the risk ofunauthorised retrieval of information transmitted via the communicationslink. Hence, effective authentication and encryption schemes are desiredin order to mutually authenticate the devices participating in acommunication, and to be able to encrypt the information transmitted viaa communications link.

[0003] An example of a wireless communications technology is theWireless Application Protocol (WAP), which enables mobile communicationsdevices to access the Internet. The WAP protocol is a layered protocolwith a wireless datagram protocol (WDP) as the lowest layer, layered ontop of a network layer and a bearer service which provide the wirelessdata link between a WAP client and a WAP server. Examples of bearerservices include CDPD in an analogue cellular system, SMS and GPRS in aGSM cellular system, Bluetooth, one-way and two-way paging.

[0004] The Bluetooth technology is an example of a short-range wirelesscommunications technology. The Bluetooth technology enables differentunits to communicate at a high speed and may be used in a variety ofapplications including ad-hoc networks of computers and other electronicequipment, e-comnerce applications where a portable electronic usercommunications device may be used as an electronic ticket or key. Theuser communications device, e.g. a mobile phone, may connect to aservice communications device which may grant or deny access to alocation or a service.

[0005] In many of these applications there is a need for a fastauthentication of the user communications device by the servicecommunications device, in particular when the time necessary for thecompletion of an interaction between the user device and a servicedevice should be kept as small as possible.

[0006] The Bluetooth standard (see “Specification of the Bluetoothsystem, Wireless connections made easy”, core version 1.0B, 1999, athttp://www.Bluetooth.com) describes how to create security associationsbetween Bluetooth units, how to authenticate units and how to encryptBluetooth links. Authentication and encryption are based on securitykeys generated by one or both of the units and exchanged during aninitial pairing or initialisation procedure. However, the unitauthentication and link encryption mechanisms require that the twocommunicating units have been paired, i.e. that an initialisationprocedure has been performed and that they share a common secret linkkey. The pairing is performed based on a PIN value.

[0007] The Bluetooth specification suggests that the user may manuallyenter the PIN into the two devices. However, in order to achieve highsecurity during the subsequent sessions the PIN value should be long asit is used as a basis for the generation of the secret link key.Consequently, this solution has the problem that the manual entering ofa long PIN code is time consuming, and errors are likely to occur.

[0008] Alternatively, the Bluetooth specification suggests that the PINvalue may be exchanged between two devices through means supported bysoftware on the application layer, e.g. by a Diffie-Hellman keyagreement. However, the Bluetooth specification does not indicate howthis may be done. Furthermore, it is a problem of this prior artsolution that a Diffie-Hellman key agreement alone does not providesufficiently high security, especially for e-commerce applications, orother applications which require the exchange of sensitive data.

[0009] For the WAP protocol a standardised security protocol calledWireless Transport Layer Security (WTLS) has been described (see“Wireless Transport Layer Security (WTLS)” WAP forum,http://www.wapforum.org). The WTLS protocol may be used to create secureconnections between a WAP client, e.g. a mobile telephone, and a WAPserver, e.g. a WAP service provider.

[0010] Another known security solution for many secure transportapplications in the Internet is the Transport Layer Security (TLS)solution (see T. Dierks and C. Allen, “The TLS Protocol Version 1.0”,IETF RFC 2246, ftp://ftp.isi.edu/in-notes/rfc2246.txt). The goal of theTLS protocol is to provide privacy and data integrity between twocommunicating applications. The TLS protocol is composed of two layerswhich my be layered on top of a reliable transport layer, such as TCP.

[0011] However, it is a disadvantage of these prior art methods thatusing the higher level security functions during communication requiresan implementation of a WTLS or TLS server in the communicating Bluetoothunits. This would imply additional storage and memory requirements.

[0012] It is a further disadvantage of these prior art methods thatsetting up a higher level communication, such as a WSP or http sessionwith WTLS or TLS, between a client and a server takes a long time. Thistime may exceed the time available for an e-commerce interaction.

[0013] It is a further disadvantage of these prior art methods that theyrequire a bearer protocol that supports WTLS or TLS, such as IP, to beavailable between the two Bluetooth units.

[0014] Hence, it is an object of the invention to provide a method and asystem for a fast, efficient set-up of secure connections betweenwireless communication units.

SUMMARY OF THE INVENTION

[0015] This and other objects are achieved when a method of establishinga secure communications link between a user communications device and afirst service communications device, the method comprising the steps of

[0016] exchanging a first identification key via a first communicationsprotocol between the user communications device and a selected one ofthe first service communications device and a second servicecommunications device;

[0017] generating, based on the first identification key, a secondidentification key for use during subsequent communications sessionsbetween the user communications device and the first servicecommunications device via a second communications protocol;

[0018] storing the second identification key in a first storage means ofthe user communications device and in a second storage means of thefirst service communications device;

[0019] is characterised in that the method further comprises the step of

[0020] authenticating the first communications protocol using apre-configured trust relation between the user communications device andthe corresponding first or second service communications device.

[0021] According to the invention, the second identification key isgenerated on the basis of a first identification key which, in turn, isprovided as a result of an authenticated key exchange protocol. Theauthentication of the key exchange protocol is based on a pre-configuredtrust relation between the user communications device and thecorresponding first or second service communications device. Examples ofsuch trust relations include a shared secret, a certificate, a publickey, etc. The authentication of the key exchange protocol providessufficient security even for sensitive e-commerce applications, withoutrequiring a cumbersome manual input of a lengthy PIN code. The keyexchange may be part of a transaction, e.g. an initialisation proceduresuch as a handshake operation, between the user communications deviceand the first service communications device. Alternatively, the keyexchange may be performed with a second communications device, e.g. adedicated subscription device or a remote network server.

[0022] Consequently, it is possible to generate and exchange a longfirst identification key, thereby increasing the security related to thesecond identification key which is based upon the first identificationkey. At the same time, the key exchange is performed in a fast andefficient manner without the need for manually inputting a key code,such as a PIN. It is a further advantage of the invention that, insubsequent communications sessions, a secure link may be establishedbased upon the second identification key without the need fortime-consuming communication via the first protocol.

[0023] Consequently, the method according to the invention results in asecond identification key which may be used in subsequent communicationssessions between the user communications device and the first servicecommunications device, e.g. for unit authentication, encryption or thelike. The establishment of a secure communications link comprises theinitial establishment of a connection and an initialisation procedureincluding the generation of an identification key which may be used forauthentication and encryption.

[0024] It is an advantage of the invention that the first communicationsprotocol is only needed during the initial session when generating thefirst identification key. If the identification key is transferred toother service communications devices, the identification key may also beused for setting up secure connections between the user communicationsdevice and the other service communications devices.

[0025] The first storage means may for example be a physical memory,such as a RAM, in the user communications device or a, possiblydynamically, allocated part of the memory of a processing unit of theuser communications device.

[0026] Other examples of storage means are storage media such as a harddisk, a SIM card, or the like. Likewise, the second storage means may bea memory or storage medium in the first service communications device ora memory or storage medium which the first service communications devicehas access to, e.g. via a computer network.

[0027] In a preferred embodiment of the invention

[0028] the second communications protocol is a Bluetooth basebandprotocol;

[0029] the second identification key is a Bluetooth link key; and

[0030] the step of generating the second identification key comprisesthe steps of

[0031] performing a baseband pairing of respective Bluetooth basebandlayers of the user communications device and the first servicecommunications device; and

[0032] generating a Bluetooth initialisation key on the basis of thefirst identification key.

[0033] It is an advantage of the invention that it provides an efficientand fast method of setting up a secure connection between two Bluetoothunits.

[0034] In another embodiment, the second identification key may begenerated as part of another initialisation procedure of the secondcommunications protocol between the user communications device and thefirst service communications device.

[0035] Alternatively, the step of generating the second identificationkey on the basis of the first identification key may comprise the stepof using the first identification key directly as the secondidentification key, e.g. as the Bluetooth link key, thereby avoiding anadditional initialisation procedure.

[0036] The first and second communications protocols may be implementedon top of any suitable communications channel, including a wirelesscommunications link, e.g. radio-based, infrared or the like.

[0037] In a further preferred embodiment of the invention the secondcommunications protocol is a lower-layer protocol than the firstcommunications protocol with respect to a layered communications model.

[0038] When the first communications protocol is selected from the classof protocols comprising TLS and WTLS, existing protocols and theirrespective security mechanisms may be utilised. Examples of suchsecurity mechanisms include WTLS in connection with WAP and TLS inconnection with IP. Alternatively or additionally, other suitablecommunications protocols may be used.

[0039] It is a further advantage of the invention that it allowsutilisation of already existing security functions of portable usercommunications devices, such as mobile phones, PDAs and laptops.

[0040] In an advantageous embodiment of the invention the step ofauthenticating the first communications protocol comprises a handshakeoperation, and the first identification key is derived from a sharedsecret established during the handshake operation. It is an advantage ofthis embodiment that existing key generation and key exchange functionsmay be adopted, thereby providing a particularly efficient way ofexchanging the first identification code with little overhead. Theshared secret may for example be the shared secret of a WTLS or a TLSsecurity protocol.

[0041] The user communications device, the first and the second servicecommunications devices may be any electronic equipment or part of suchelectronic equipment, where the term electronic equipment includescomputers, such as stationary and portable PCs, Bluetooth. accesspoints, stationary and portable radio communications equipment. The termportable radio communications equipment includes mobile stations such asmobile telephones, pagers, communicators, i.e. electronic organisers,smart phones, PDAs, or the like.

[0042] In a preferred embodiment of the invention, the second servicecommunications device is a server computer of a communications network,e.g. a personal computer, a work station, a server of a serviceprovider, or the like.

[0043] In another preferred embodiment of the invention the step ofexchanging the first identification key further comprises the steps of

[0044] establishing a communications link between the usercommunications device and the second service communications device, andgenerating and storing in a third storage means of the usercommunications device an identification code related to the firstidentification key;

[0045] the method further comprises the step of communicating the firstidentification key and the identification code from the second servicecommunications device to the first service communications device; and

[0046] the step of generating the second identification key furthercomprises the steps of transmitting the identification code from thefirst service communications device to the user communications device,and, on the basis of the identification code, retrieving the firstidentification key from the first storage means.

[0047] It is an advantage of this embodiment that the communicationssession comprising the initial key exchange via the first protocol mayutilise a different communications link than the second protocol, andthat the key exchange may be performed between the user communicationsdevice and a second service communications device, which may bedifferent from the first service communications device. Hence, a usermay subscribe to a service and obtain a corresponding identification keyin a separate communications session, e.g. a communications session witha remote server of the service provider. The identification key maysubsequently be used to initialise a secure communications link with thefirst service communications device. In order to identify the storedfirst identification key in the subsequent session, an identificationcode is generated and stored together with the identification key. Thethird storage means may be a separate memory or storage medium or it maybe the same as the first storage means.

[0048] It is a further advantage of the invention that no applicationlayer security mechanism, such as WTLS or TLS, or the correspondingbearer protocol, such as WAP or IP, is required in connection with thesecond communications link.

[0049] In a preferred embodiment of the invention the communicationslink uses a protocol selected from the class of protocols comprisingTCP/IP and WAP.

[0050] When the method further comprises the step of performing asubscription transaction via the first communications protocol, theexchange of the first identification key may be performed during asubscription session to a service, which may comprise a transaction suchas a payment, the transmission of credit card information, the receiptof e-tickets, a PIN number or the like, and thus may require a secureconnection.

[0051] The invention further relates to a communications systemcomprising

[0052] a user communications device and a first service communicationsdevice,

[0053] the user communications device including

[0054] first communications means adapted to communicate via a firstcommunications protocol with a selected one of the first servicecommunications device and a second service communications device;

[0055] first processing means adapted to exchange a first identificationkey with the corresponding first or second service communicationsdevice;

[0056] the user communications device and the first servicecommunications device including

[0057] respective second and third communications means adapted tocommunicate via a second communications protocol; and

[0058] respective second and third processing means adapted to generate,based on the first identification key, a second identification key foruse during subsequent communications sessions between the usercommunications device and the first service communications device viathe second communications protocol; and

[0059] respective first and second storage means adapted to store thesecond identification key.

[0060] The communications system is characterised in that the usercommunications device further comprises fourth processing means adaptedto authenticate the first communications protocol using a pre-configuredtrust relation between the user communications device and thecorresponding first or second service communications device.

[0061] The term processing means comprises general- or special-purposeprogrammable microprocessors, Digital Signal Processors (DSP),Application Specific Integrated Circuits (ASIC), Programmable LogicArrays (PLA), Field Programmable Gate Arrays (FPGA), etc., or acombination thereof. The processing means may be a CPU of a computer, amicroprocessor, a smart card, a SIM card, or the like.

[0062] The term communications means comprises circuitry and/or devicessuitable for enabling the communication of data between the usercommunications device and the first or second service communicationsdevice and /or between the first and second service communicationsdevices, e.g. via a wired or a wireless data link. Examples of suchcommunications means include a network interface, a network card, aradio transmitter/receiver, a cable modem, a telephone modem, anIntegrated Services Digital Network (ISDN) adapter, a Digital SubscriberLine (DSL) adapter, a satellite transceiver, an Ethernet adapter, or thelike. For example, the user communications device may be connected tothe first or second service communications device via a short rangewireless communications link using electromagnetic signals, such asinfrared light, e.g. via an IrDa port, radio-based communications, e.g.via Bluetooth transceivers, or the like. Alternatively, the usercommunications device may be adapted to establish a connection with thesecond service communications device via a radio interface forconnecting it to a wireless telecommunications network, such as aCellular Digital Packet Data (CDPD) network, a Global System for Mobile(GSM) network, a Code Division Multiple Access (CDMA) network, a TimeDivision Multiple Access Network (TDMA), a General Packet Radio service(GPRS) network, a Third Generation network, such as a UMTS network, orthe like.

[0063] In a preferred embodiment of the invention the usercommunications device is a mobile station, where the term mobile stationcomprises mobile telephones, pagers, communicators, i.e. electronicorganisers, smart phones, PDAs, and the like.

[0064] As the advantages of the communications system according to theinvention and its preferred embodiments correspond to the advantages ofthe method and its corresponding embodiments described above and in thefollowing, these will not be described again.

[0065] The invention further relates to a mobile communications deviceadapted to establish a wireless communications link with a first servicecommunications device, the mobile communications device comprising

[0066] first communications means adapted to communicate with a selectedone of the first service communications device and a second servicecommunications device;

[0067] first processing means adapted to exchange a first identificationkey with the corresponding first or second service communicationsdevice;

[0068] second communications means adapted to communicate with the firstcommunications device via a second communications protocol; and

[0069] second processing means adapted to generate, based on the firstidentification key, a second identification key for use duringsubsequent communications sessions between the user communicationsdevice and the first service communications device via the secondcommunications protocol; and

[0070] first storage means adapted to store the second identificationkey.

[0071] The mobile communications device is characterised in that itfurther comprises

[0072] third processing means adapted to authenticate the firstcommunications protocol using a pre-configured trust relation betweenthe mobile communications device and the corresponding first or secondservice communications device.

[0073] As the advantages of the mobile communications device accordingto the invention and its preferred embodiments correspond to theadvantages of the method and its corresponding embodiments describedabove and in the following, these will not be described again.

[0074] The invention further relates to, in a user communicationsdevice, a method of establishing a secure communications link betweenthe user communications device and a first service communicationsdevice, the method comprising the steps of

[0075] exchanging a first identification key via a first communicationsprotocol between the user communications device and a selected one ofthe first service communications device and a second servicecommunications device;

[0076] on the basis of the first identification key, generating a secondidentification key for use during subsequent communications sessionsbetween the user communications device and the first servicecommunications device via a second communications protocol.

[0077] The method is characterised in that it further comprises thesteps of

[0078] authenticating the first communications protocol using apre-configured trust relation between the user communications device andthe corresponding first or second service communications device.

[0079] The invention further relates to a computer program comprisingprogram code means for performing all the steps of the method describedabove and below when said program is run on a microprocessor.

[0080] The invention further relates to a computer program productcomprising program code means stored on a computer readable medium, e.g.a SIM card, for performing the method described above and below whensaid computer program product is run on a microprocessor.

[0081] The invention further relates to an identification key when usedas the first identification key in the method described above and in thefollowing. Preferably, the identification key is a shared secretgenerated by a higher-layer protocol and used for subsequentauthentication in the lower-layer communication.

[0082] In the following, the invention will be described in connectionwith the Bluetooth technology. However, it is understood that a personskilled in the art will be able to adapt the invention to other wirelesscommunications technologies.

BRIEF DESCRIPTION OF THE DRAWINGS

[0083] The invention will be explained more fully below in connectionwith preferred embodiments and with reference to the drawings, in which:

[0084]FIG. 1 shows an example of a situation where the method accordingto the invention may be applied;

[0085]FIG. 2a shows a block diagram of a system according to theinvention;

[0086]FIG. 2b shows a schematic view of the communications stack of afirst embodiment according to the invention;

[0087]FIG. 3a shows a flow diagram of a communications session accordingto an embodiment of the invention which may be used in connection withthe system of FIG. 2a;

[0088]FIG. 3b shows a message flow of the communications session of FIG.3a;

[0089]FIG. 4 shows a block diagram of a system according to a secondembodiment of the invention;

[0090]FIG. 5a shows a first example of a message flow of acommunications session according to an embodiment of the invention whichmay be used in connection with the system of FIG. 4; and

[0091]FIG. 5b shows a second example of a message flow of acommunications session according to an embodiment of the invention whichmay be used in connection with the system of FIG. 4.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0092]FIG. 1 illustrates, as an example of an application of theinvention, the use of a Bluetooth mobile phone for public transportticketing.

[0093] In this example, we consider the situation where public transportcustomers 105-107 have the opportunity to subscribe to a service wherethey are able to use a mobile phone 105 a-107 a, respectively, as a usercommunications device for the storing and presentation of an electronicticket for the underground transport. A solution using Bluetoothtransceivers 102 a-f at the underground gates 103 a-c as servicecommunications devices is shown in FIG. 1.

[0094] Customers 105-107 enter the underground via a lobby area 109which is separated from the underground platform area 108 by walls 110with gates 103 a-c. Only customers with a valid ticket are allowed topass through the gates 103 a-c.

[0095] In the example of FIG. 1, a Bluetooth “pre-scanning” transceiver101 scans for all Bluetooth units entering the underground area. Whenthe transceiver 101 has established a connection to an approachingBluetooth unit 106 a, information about the approaching unit 106 a isforwarded by the transceiver 101 to the transceivers 102 a-f at thegates 103 a-c. Based on that information, the transceivers 102 a-f maypage the Bluetooth units that pass the gates, and one of thetransceivers 102 b may grant access to a Bluetooth unit 105 a, if it isauthenticated or if it can present a valid electronic ticket over thecorresponding Bluetooth link. Hence, this is an example of anapplication where the time of interaction between the Bluetooth unit 106a and the transceiver 102 b should not exceed the time it takes thecustomer 106 to walk through the gate 103 a.

[0096] In the example of FIG. 1, a user 107 who arrives in theunderground area 109 and who has not yet subscribed to the electronicticket service, may subscribe to the service by connecting his Bluetoothdevice 107 a to a Bluetooth access point 104 of the service provider viaa Bluetooth service device 104 a. At the access point 104, the customer104 may perform a payment transaction, select a desired subscription,and receive a link key. With the link key, the user's Bluetooth device107 a may subsequently establish secure Bluetooth connections with theBluetooth transceivers 101 and 102 a-f.

[0097]FIG. 2a shows a block diagram of a system according to anembodiment of the invention, comprising a user communications device201, and a service communications device 211. A user communicationsdevice may be standard electronic equipment or part of such electronicequipment, where the term electronic equipment includes computers, suchas stationary and portable PCs, stationary and portable radiocommunications equipment. The term portable radio communicationsequipment includes mobile stations such as mobile telephones, pagers,communicators, i.e. electronic organisers, smart phones, PDAs, or thelike. The user communications device 201 in FIG. 2a comprises aBluetooth transceiver 206 for connecting the user communications device201 to the service communications device 211. The transceiver 206 isconnected to a microprocessor 204 including a RA 204 a. Themicroprocessor 204 is connected to a memory unit 205 which may comprisea ROM section 205 a and an EPROM/EEPROM section 205 b. In the ROMsection computer-executable program. code is stored which, when loadedin the microprocessor 204, implements the software applications of thedevice 201, such as the different layers of the Bluetooth protocol andother communications protocols, as will be described in connection withFIG. 2b, security and encryption software, application software formanaging service-specific functionality, such as displaying the statusof a subscription or the like. In the EPROM/EEPROM section, applicationdata may be stored, such as PIN codes, subscription data, link keys,etc. The memory unit 205 may for example be a SIM card of a mobilephone. The microprocessor 204 is further connected to a user interfaceunit 202 which comprises a display 202 a and a keypad 202 b. The display202 a may be used for displaying subscription information, e.g. thenumber of trips left on the user's account. The keypad 202 b may be usedfor entering PIN codes, selecting different services, acknowledgingpayments, etc. Alternatively or additionally, the user interface unit202 may comprise other input means, e.g. a touch screen.

[0098] The service communications device 211, e.g. the Bluetooth unit104 a at the service access point 104 shown in FIG. 1, may comprisecomponents similar to the user communications device: a Bluetoothtransceiver 216, a processing unit 214 including a RAM 214 a, a memory215 with a ROM section 215 a and an EPROM/EEPROM section 215 b.

[0099] Alternatively or additionally, the service communications devicemay be connected, e.g. via a LAN, to a server computer executing atleast part of the application software, e.g. for the management of linkkeys, subscription management, etc., and which may provide at least partof the storage capacity of the service communications device, e.g. RAMor another storage medium such as a hard disk.

[0100] The service communications device may include its own userinterface, or it may be connected to e.g. a separate customer accessterminal providing a user interface.

[0101] Furthermore, the service communications device may be connectedto a network with multiple nodes, e.g. other service communicationsdevices.

[0102]FIG. 2b shows a schematic view of the communications stackimplemented at the user communications device 221 and the servicecommunications device 222 according to an embodiment of the invention.The example illustrated in FIG. 2b corresponds to the exchange of anidentification key via a WAP connection with WTLS and the use of thatidentification key in the pairing of two Bluetooth units. At the usercommunications device 221, the layers of the WAP stack 230 on top of theBluetooth stack 236 are shown. The Bluetooth stack 236 includes thebaseband 236 a which performs the security pairing with the baseband 239a of the Bluetooth stack 239 of the service communications device 222.The actual communications link 238 between the two units 221 and 222 isestablished at the physical layers 236 b and 239 b of the respectivecommunications stacks. The Bluetooth security is managed, via theinterfaces 235 a-b and 241 a-b, by the Bluetooth security manager 234 atthe user communications device 221 and the security manager 240 at theservice communications device 222, respectively.

[0103] In order to exchange the identification key or PIN value duringthe initial communications session, a secure connection 237 isestablished via WTLS on a WAP bearer. The security at this level ismanaged by the respective WTLS managers 231 and 243 and their respectiveinterfaces 232 a-b and 244 a-b to the corresponding WAP stacks 230 and245, respectively.

[0104] When the PIN value is exchanged via the WAP connection 237 itmay, according to the invention, be communicated from the WTLS manager231 at the user communications device 221 to the Bluetooth securitymanager 234 via the interface 233. Correspondingly, the PIN value may becommunicated from the WTLS manager 243 at the service communicationsdevice 222 to the corresponding Bluetooth security manager 240 via theinterface 242.

[0105]FIG. 3a illustrates a flow diagram of a communications sessionaccording to a first embodiment of the invention, e.g. between a usercommunications device and a service communications device as describedin connection with FIGS. 2a-b. Initially, in step 301, the usercommunications device connects, via Bluetooth, to the servicecommunications device, e.g. at a service access 104 shown in FIG. 1.Initially, the Bluetooth connection is established without using anybaseband security functions. On top of the Bluetooth connection, a WTLSconnection is established in step 302 and a handshake procedure isperformed. Alternatively, another higher level protocol, e.g. TLS, maybe used for setting up a secure connection. A result of the WTLShandshake protocol is a shared secret 303 or master secret between theclient in the user communications device and the server in the serviceaccess point. When the secure WTLS connection has been established,additional transactions may be performed in step 304. For example, theserver may charge the user, e.g. by requesting credit card information,or it may perform a customer registration procedure. Subsequently, instep 305, the two Bluetooth units perform a baseband secure pairing. Theidentification key or PIN value 303 used for the pairing is the WTLSmaster secret or a secure value derived from the master secret. FIG. 3billustrates the message flow during the communications session describedin connection with FIG. 3a. The messages and message sequences betweenthe user communications device 310 and the service communications device311 are illustrated as horizontal arrows between the two vertical lines310 a and 311 a representing the user communications device 310 and theservice communications device 311, respectively. After a connectionbetween the user communications device 310 and the servicecommunications device 311 is established by the message sequence 312, aWTLS handshake is performed by the message sequence 313. A result of theWTLS handshake interaction is a shared secret or ‘master secret’. At theservice communications device 311, the shared secret and a correspondingidentifier, e.g. the BD_ADDR of the user communications device, arecommunicated from the WTLS manager to the Bluetooth security manager viathe interface 242 shown in FIG. 2b and stored as a PIN value andcorresponding BD_ADDR in a memory or a storage medium 315, e.g. via afunction ‘store_PIN’ 314. At the user communications device 310, theshared secret and a corresponding BD_ADDR are communicated from the WTLSmanager to the Bluetooth security manager via the interface 233 shown inFIG. 2b and stored as a PIN value and corresponding BD_ADDR in a memoryor a storage medium 317, e.g. via a corresponding function ‘store_PIN’316.

[0106] After a secure WTLS handshaking is established a furthertransaction 318 may be performed. The stored PIN value may be retrievedfrom the memories or storage media 315 and 317, respectively, viacorresponding ‘get_PIN’ functions 319 and 323. On the basis of the PINvalue, an initialisation key may be calculated at the usercommunications device and the service communications device,respectively. The initialisation key is used during the pairing sequence321 which comprises unit authentication based on the initialisation keyand the generation and exchange of a link key. The link key is stored inthe memory or storage media 325 at the user communications device and327 at the service communications device, respectively, e.g. viarespective ‘store_key’ functions 326 and 328. After this initialisationprocedure the user communications device and the service communicationsdevice may continue to communicate or disconnect the communicationslink. In subsequent communications session between the usercommunications device and the service communications device, unitauthentication may be performed directly on the basis of the stored linkkey without establishing a WTLS handshake, the generation and/orexchange of PIN values and initialisation keys. If encryption isdesired, an encryption key may be derived from the link key.

[0107] It is understood that instead of using the shared secretresulting from the WTLS handshake procedure as a PIN value, a valuederived from that shared secret may be used. Alternatively, the usercommunications device and/or the service communications device maygenerate the PIN value independently of the shared secret, and transferthe PIN value to the respective other device over the secure WTLS link.

[0108] It is further understood that another secure handshake protocolmay be used instead of WTLS, for example the TLS protocol in connectionwith an IP bearer.

[0109] It is further understood that the PIN value may be used as a linkkey directly, instead of using the PIN value as a basis for thegeneration of the initialisation key which, in turn, is used during thepairing of the Bluetooth units resulting in a common link key Hence,instead of using the PIN value as an input to the process whichgenerates the initialisation key, the PIN value, or a value derived fromit, may be stored directly as a link key in both devices. Hence, in asubsequent session, the existence of the link key will be detected and apairing of the Bluetooth devices is not necessary.

[0110] Now referring to FIG. 4, in a second embodiment of the invention,the system comprises a user communications device 401, a servicecommunications device 411, and a service provider server 418. The usercommunications device 401 may be standard electronic equipment or partof such electronic equipment as described in connection with FIG. 2a.The user communications device 401 comprises a Bluetooth transceiver 406for connecting the user communications device 401 to the servicecommunications device 411. The transceiver 406 is connected to amicroprocessor 404 including a RAM 404 a. The microprocessor 404 isconnected to a memory unit 405 which may comprise a ROM section 205 aand an EPROM/EEPROM section 405 b as described in connection with FIG.2a. The microprocessor 404 is further connected to a user interface unit402 which comprises a display 402 a and a keypad 402 b. The usercommunications device further comprises a transmit/receive aerial 403for transmitting and receiving radio signals via a telecommunicationsnetwork 420. The aerial 403 is connected to the microprocessor 404, andsignals received via the aerial 403 are routed to the microprocessor404, and the microprocessor 404 may initiate and control thetransmission of signals via the aerial 403.

[0111] The service communications device 411 may comprise componentssimilar to the user communications device: A Bluetooth transceiver 416,a processing unit 414 including a RAM 414 a, a memory 415 with a ROMsection 415 a and an EPROM/EEPROM section 415 b. The servicecommunications device 411 further comprises an interface unit 617 forconnecting the service communications device to a communications network419, such as a LAN, a WAN, the Internet, or another suitablecommunications network.

[0112] Alternatively or additionally, as described in connection withFIG. 2a, the service communications device 411 may be connected to aserver computer, a customer service terminal, and/or other servicecommunications devices.

[0113] Via the aerial 403, the user communications device 401 maycommunicate, e.g. via a telecommunications network 420 provided by atelecommunications provider, with the service provider server 418. Theuser communication device 401 and the service provider server 418 mayestablish a secure connection, e.g. via WTLS or TLS, and exchange a PINvalue. The PIN value may be transferred from the service provider server418 via the communications network 419 to the service communicationsdevice 411.

[0114] It is understood that the communication between the usercommunications device and the service provider server may be establishedvia other communications means. For example, the user communicationsdevice may be connected to a computer, e.g. via a serial port such as anIrDa port, and the computer may communicate with the service providerserver via the Internet. Hence, the PIN value may be exchanged betweenthe computer and the service provider server and subsequentlytransferred from the computer to the user communications device. Inanother embodiment, the user communications device may comprise anetwork interface for connecting the user interface to a LAN such thatthe user communications device may connect to the Internet via a webserver on the LAN.

[0115]FIG. 5a illustrates a first example of a message flow during acommunications session according to an embodiment of the invention whichmay be used in connection with the system of FIG. 4. Initially, acommunications link, e.g. via a telecommunications network and WAP,between the user communications device 510 and the service provider 511is established by the message sequence 513. Via the subsequent messagesequence 514, a WTLS handshake is performed. A result of the WTLShandshake interaction is a shared secret or ‘master secret’. After thehandshake and a possible further key exchange 516, the shared secret, oranother secret PIN value generated during the WTLS session, is availableboth at the user communications device 510 and the service provider 511.Furthermore, the user communications device receives a serviceidentifier identifying the service to which the user has subscribed.Preferably, the service provider receives the Bluetooth device address(BD_ADDR) of the user communications device. At the user communicationsdevice, the shared secret is communicated from the WTLS manager to theBluetooth security manager and stored as a PIN value, together with theservice identifier, in a memory or a storage medium 518, e.g. via acorresponding function ‘store_PIN’ 517. The PIN value and the BD_ADDRmay be transmitted from the service provider 511 to the servicecommunications device 512, e.g. via the network 419 in FIG. 4. In theservice communications device 512, the PIN value and the BD_ADDR arestored in a memory or a storage medium 520, e.g. via a ‘store_PIN’function 521. The communications link between the user communicationsdevice 510 and the service provider 511 may be closed, or thecommunication may be continued in order to perform other transactions.

[0116] In a subsequent communications session, e.g. in the example ofFIG. 1, when a user enters the underground lobby for the first timeafter having subscribed to an e-ticket service via the Internet, theuser communications device 510 and the service communications device 512establish, during interaction 522, a Bluetooth connection. During aservice discovery sequence 523, the user communications device 510receives the service identifier from the service communications device512. Based on the service identifier, the user communications device 510may, in step 525, retrieve the PIN value from the memory or storagemedium 518. In step 528, based on the BD_ADDR of the user communicationsdevice, the service communications device 512 may retrieve the PIN valuefrom its memory or storage medium 520. On the basis of the PIN value,the user communications device and the service communications device 512may now perform a secure baseband pairing 530 and, as described inconnection with FIG. 3b, store the resulting link key in theirrespective memories or storage media 532 or 534. After thisinitialisation procedure the user communications device 510 and theservice communications device 512 may continue to communicate ordisconnect the communications link. In a subsequent communicationssession between the user communications device 510 and the servicecommunications device 512, the unit authentication may be performeddirectly on the basis of the stored link key without establishing a WTLShandshake, generating and/or exchanging PIN values or initialisationkeys. If encryption is desired, an encryption key may be derived fromthe link key.

[0117] It is understood that another secure handshake protocol may beused instead of WTLS, for example the TLS protocol in connection with anIP bearer.

[0118]FIG. 5b illustrates a second example of a message flow during acommunications session according to an embodiment of the invention whichmay be used in connection with the system of FIG. 4. Like in the exampleof FIG. 5a, a secure WTLS connection is established (transaction 513 and514) between the user communications device 510 and the service provider511. A subscription transaction 515 may be performed and a PIN value aswell as a service identifier is exchanged in a key exchange sequence535. According to this embodiment of the invention, an additional PINidentifier is generated and exchanged during the key exchange sequence535. During sequence 539, the PIN value and the PIN identifier aretransferred to the service communications device 512 and, in step 541,stored in the memory or storage medium 520. At the user communicationsdevice 510, the PIN value, the service ID and the PIN identifier arestored in the memory or storage medium 518, in step 536.

[0119] Subsequently, in step 522, a Bluetooth connection between theuser communications device 510 and the service communications device 512is established as described in connection with the example of FIG. 5a,and a service discovery sequence 523 is performed. At the usercommunications device, the PIN value and the PIN identifier areretrieved from the memory or storage medium 518, in step 545, based onthe service identifier. During the message sequence 547, the PINidentifier is transmitted to the service communications device 512 whichmay subsequently retrieve the PIN value from its memory or storagemedium 520, in step 550. Once the PIN value is available at the usercommunications device 510 and the service communications device 512, theBluetooth pairing 530 and the storage of the resulting link key may beperformed as described in connection with FIG. 5a.

1. A method of establishing a secure communications link between a usercommunications device and a first service communications device, themethod comprising the steps of exchanging a first identification key viaa first communications protocol between the user communications deviceand a selected one of the first service communications device and asecond service communications device; generating, based on the firstidentification key, a second identification key for use duringsubsequent communications sessions between the user communicationsdevice and the first service communications device via a secondcommunications protocol; storing the second identification key in afirst storage means of the user communications device and in a secondstorage means of the first service communications device; characterisedin that the method further comprises the step of authenticating thefirst communications protocol using a pre-configured trust relationbetween the user communications device and the corresponding first orsecond service communications device.
 2. A method according to claim 1,characterised in that the second communications protocol is a Bluetoothbaseband protocol; the second identification key is a Bluetooth linkkey; and the step of generating the second identification key comprisesthe steps of performing a baseband pairing of respective Bluetoothbaseband layers of the user communications device and the first servicecommunications device; and generating a Bluetooth initialisation key onthe basis of the first identification key.
 3. A method according toclaim 1 or 2, characterised in that the second communications protocolis a lower-layer protocol than the first communications protocol withrespect to a layered communications model.
 4. A method according to anyone of the claims 1 through 3, characterised in that the firstcommunications protocol is selected from the class of protocolscomprising TLS and WTLS.
 5. A method according to any one of the claims1 through 4, characterised in that the step of authenticating the firstcommunications protocol comprises a handshake operation, and the firstidentification key is derived from a shared secret established duringthe handshake operation.
 6. A method according to any one of the claims1 through 5, characterised in that the second service communicationsdevice is a server computer of a communications network.
 7. A methodaccording to any one of the claims 1 through 6, characterised in thatthe step of exchanging the first identification key further comprisesthe steps of establishing a communications link between the usercommunications device and the second service communications device, andgenerating and storing in a third storage means of the usercommunications device an identification code related to the firstidentification key; the method further comprises the step ofcommunicating the first identification key and the identification codefrom the second service communications device to the first servicecommunications device; and the step of generating the secondidentification key further comprises the steps of transmitting theidentification code from the first service communications device to theuser communications device, and, on the basis of the identificationcode, retrieving the first identification key from the first storagemeans.
 8. A method according to claim 7, characterised in that thecommunications link uses a protocol selected from the class of protocolscomprising TCP/IP and WAP.
 9. A method according to any one of theclaims 1 through 8, characterised in that the method further comprisesthe step of performing a subscription transaction via the firstcommunications protocol.
 10. A method according to any one of the claims1 through 9, characterised in that the step of generating the secondidentification key comprises the step of using the first identificationkey directly as the second identification key.
 11. A communicationssystem comprising a user communications device and a first servicecommunications device, the user communications device including firstcommunications means adapted to communicate via a first communicationsprotocol with a selected one of the first service communications deviceand a second service communications device; first processing meansadapted to exchange a first identification key with the correspondingfirst or second service communications device; the user communicationsdevice and the first service communications device including respectivesecond and third communications means adapted to communicate via asecond communications protocol; and respective second and thirdprocessing means adapted to generate, based on the first identificationkey, a second identification key for use during subsequentcommunications sessions between the user communications device and thefirst service communications device via the second communicationsprotocol; and respective first and second storage means adapted to storethe second identification key; characterised in that the usercommunications device further comprises fourth processing means adaptedto authenticate the first communications protocol using a pre-configuredtrust relation between the user communications device and thecorresponding first or second service communications device.
 12. Acommunications system according to claim 11, characterised in that thesecond communications protocol is a Bluetooth baseband protocol; thesecond and third processing means are adapted to implement a basebandpairing operation of the user communications device with the firstservice communications device, and to generate a Bluetoothinitialisation key based on the first identification key; and the secondidentification key is a Bluetooth link key.
 13. A communications systemaccording to claim 11 or 12, characterised in that the secondcommunications protocol is a lower-layer protocol than the firstcommunications protocol with respect to a layered communications model.14. A communications system according to any one of the claims 11through 13, characterised in that the first communications protocol isselected from the class of protocols comprising TLS and WTLS.
 15. Acommunications system according to any one of the claims 11 through 14,characterised in that the first identification key is derived from ashared secret established during a handshake operation between the usercommunications device and the corresponding first or second servicecommunications device.
 16. A communications system according to any oneof the claims 11 through 15, characterised in that the second servicecommunications device is a server computer of a communications network.17. A communications system according to any one of the claims 11through 16, characterised in that the first communications means isadapted to establish a communications link with the second servicecommunications device; the first processing means is further adapted toexchange an identification code related to the first identification keywith the second service communications device; the user communicationsdevice further comprises third storage means adapted to store the firstidentification key and the identification code; the first communicationsmeans comprises fourth communications means adapted to receive the firstidentification code from the second service communications device; andthe second processing means is adapted to retrieve the firstidentification key from the first storage means, on the basis of thereceived identification code.
 18. A communications system according toclaim 17, characterised in that the communications link uses a protocolselected from the class of protocols comprising TCP/IP and WAP.
 19. Acommunications system according to any one of the claims 11 through 18,characterised in that the user communications device is a mobilestation.
 20. A communications system according to claim 19,characterised in that the user communications device is a mobile phone.21. A mobile communications device adapted to establish a wirelesscommunications link with a first service communications device, themobile communications device comprising first communications meansadapted to communicate with a selected one of the first servicecommunications device and a second service communications device; firstprocessing means adapted to exchange a first identification key with thecorresponding first or second service communications device; secondcommunications means adapted to communicate with the firstcommunications device via a second communications protocol; and secondprocessing means adapted to generate, based on the first identificationkey, a second identification key for use during subsequentcommunications sessions between the user communications device and thefirst service communications device via the second communicationsprotocol; and first storage means adapted to store the secondidentification key; characterised in that the mobile communicationsdevice further comprises third processing means adapted to authenticatethe first communications protocol using a pre-configured trust relationbetween the mobile communications device and the corresponding first orsecond service communications device.
 22. A mobile communications deviceaccording to claim 21, characterised in that the mobile communicationsdevice is a mobile station.
 23. A mobile communications device accordingto claim 22, characterised in that the mobile communications device is amobile phone.
 24. In a user communications device, a method ofestablishing a secure communications link between the usercommunications device and a first service communications device, themethod comprising the steps of exchanging a first identification key viaa first communications protocol between the user communications deviceand a selected one of the first service communications device and asecond service communications device; on the basis of the firstidentification key, generating a second identification key for useduring subsequent communications sessions between the usercommunications device and the first service communications device via asecond communications protocol; characterised in that the method furthercomprises the steps of authenticating the first communications protocolusing a pre-configured trust relation between the user communicationsdevice and the corresponding first or second service communicationsdevice.
 25. A method according to claim 24, characterised in that thesecond communications protocol is a Bluetooth baseband protocol; thesecond identification key is a Bluetooth link key; and the step ofgenerating the second identification key comprises the steps ofperforming a baseband pairing with the first service communicationsdevice; and generating a Bluetooth initialisation key based on the firstidentification key.
 26. A method according to claim 24 or 25,characterised in that the second communications protocol is alower-layer protocol than the first communications protocol with respectto a layered communications model.
 27. A method according to any one ofthe claims 24 through 26, characterised in that the first communicationsprotocol is selected from the class of protocols comprising TLS andWTLS.
 28. A method according to any one of the claims 24 through 27,characterised in that the step of authenticating the firstcommunications protocol comprises a handshake operation, and the firstidentification key is derived from a shared secret established duringthe handshake operation.
 29. A method according to any one of the claims24 through 28, characterised in that the second service communicationsdevice is a server computer of a communications network.
 30. A methodaccording to any one of the claims 24 through 29, characterised in thatthe step of exchanging the first identification key further comprisesthe steps of establishing a communications link to the second servicecommunications device, and storing in a first storage means anidentification code related to the first identification key, theidentification code further being made available at to the first servicecommunications device; the step of performing the initialisationprocedure further comprises the steps of receiving the identificationcode from the first service communications device, and, on the basis ofthe identification code, retrieving the first identification key.
 31. Amethod according to claim 30, characterised in that the secondcommunications link uses a protocol selected from the class of protocolscomprising TCP/IP and WAP.
 32. A method according to any one of theclaims 24 through 31, characterised in that the method further comprisesthe step of performing a subscription transaction via the firstcommunications protocol.
 33. A computer program comprising program codemeans for performing all the steps of any one of the claims 24 to 32when said program is run on a microprocessor.
 34. A computer programproduct comprising program code means stored on a computer readablemedium for performing the method of any one of the claims 24 to 32 whensaid computer program product is run on a microprocessor.
 35. A computerprogram product according to claim 34, characterised in that thecomputer readable medium is a SIM card.
 36. An identification key whenused as the first identification key in a method according to any one ofthe claims 24 through 32.